win.liteduke

LiteDuke

Actor(s): APT 29


According to CarbonBlack, LiteDuke is a third-stage backdoor that appears to use the same dropper as PolyglotDuke. Its payload stores its configuration in an AES-encrypted SQLite database. LiteDuke supports a large number of individual commands, including host information retrieval, file upload and download, and execution of other code. Its C2 servers appear to be compromised servers, and the malware communicates with them using ordinary HTTP requests, attempting to blend in with normal HTTP traffic by using a realistic User-Agent string.
ESET dubbed it LiteDuke because it uses SQLite to store information such as its configuration.

References
2020-05-18, Kevin Perlow (One Night in Norfolk): "Looking Back at LiteDuke", https://norfolkinfosec.com/looking-back-at-liteduke/ (accessed 2020-05-18). Tagged families: LiteDuke
    @online{perlow:20200518:looking:eaa7bde, author = {Kevin Perlow}, title = {{Looking Back at LiteDuke}}, date = {2020-05-18}, organization = {One Night in Norfolk}, url = {https://norfolkinfosec.com/looking-back-at-liteduke/}, language = {English}, urldate = {2020-05-18} }

2020-03-26, Scott Knight (VMWare Carbon Black): "The Dukes of Moscow", https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/ (accessed 2020-05-18). Tagged families: Cobalt Strike, LiteDuke, MiniDuke, OnionDuke, PolyglotDuke, PowerDuke
    @online{knight:20200326:dukes:df85f94, author = {Scott Knight}, title = {{The Dukes of Moscow}}, date = {2020-03-26}, organization = {VMWare Carbon Black}, url = {https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/}, language = {English}, urldate = {2020-05-18} }
Yara Rules
[TLP:WHITE] win_liteduke_auto (20211008 | Detects win.liteduke.)
rule win_liteduke_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.liteduke."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.liteduke"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { ff7518 ff35???????? ff15???????? ff7508 ff35???????? ff15???????? 8b450c }
            // n = 7, score = 200
            //   ff7518               | push                dword ptr [ebp + 0x18]
            //   ff35????????         |                     
            //   ff15????????         |                     
            //   ff7508               | push                dword ptr [ebp + 8]
            //   ff35????????         |                     
            //   ff15????????         |                     
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]

        $sequence_1 = { 31c0 aa 5f 5b 5e c9 c20800 }
            // n = 7, score = 200
            //   31c0                 | xor                 eax, eax
            //   aa                   | stosb               byte ptr es:[edi], al
            //   5f                   | pop                 edi
            //   5b                   | pop                 ebx
            //   5e                   | pop                 esi
            //   c9                   | leave               
            //   c20800               | ret                 8

        $sequence_2 = { 58 83c020 68???????? 50 ff15???????? 68???????? ff742408 }
            // n = 7, score = 200
            //   58                   | pop                 eax
            //   83c020               | add                 eax, 0x20
            //   68????????           |                     
            //   50                   | push                eax
            //   ff15????????         |                     
            //   68????????           |                     
            //   ff742408             | push                dword ptr [esp + 8]

        $sequence_3 = { 51 ffb5ecfcffff ff15???????? 09c0 7541 8d55f8 }
            // n = 6, score = 200
            //   51                   | push                ecx
            //   ffb5ecfcffff         | push                dword ptr [ebp - 0x314]
            //   ff15????????         |                     
            //   09c0                 | or                  eax, eax
            //   7541                 | jne                 0x43
            //   8d55f8               | lea                 edx, dword ptr [ebp - 8]

        $sequence_4 = { ff7518 ff15???????? d1e0 8945e8 b800100000 d1e0 }
            // n = 6, score = 200
            //   ff7518               | push                dword ptr [ebp + 0x18]
            //   ff15????????         |                     
            //   d1e0                 | shl                 eax, 1
            //   8945e8               | mov                 dword ptr [ebp - 0x18], eax
            //   b800100000           | mov                 eax, 0x1000
            //   d1e0                 | shl                 eax, 1

        $sequence_5 = { ff15???????? 83c408 8b5b08 09db 0f8568ffffff c785fafeffff01000000 }
            // n = 6, score = 200
            //   ff15????????         |                     
            //   83c408               | add                 esp, 8
            //   8b5b08               | mov                 ebx, dword ptr [ebx + 8]
            //   09db                 | or                  ebx, ebx
            //   0f8568ffffff         | jne                 0xffffff6e
            //   c785fafeffff01000000 | mov                 dword ptr [ebp - 0x106], 1

        $sequence_6 = { 8b5514 0116 8b4d1c 41 51 }
            // n = 5, score = 200
            //   8b5514               | mov                 edx, dword ptr [ebp + 0x14]
            //   0116                 | add                 dword ptr [esi], edx
            //   8b4d1c               | mov                 ecx, dword ptr [ebp + 0x1c]
            //   41                   | inc                 ecx
            //   51                   | push                ecx

        $sequence_7 = { 627974 657300 7371 6c 697465335f737465 7000 }
            // n = 6, score = 200
            //   627974               | bound               edi, qword ptr [ecx + 0x74]
            //   657300               | jae                 3
            //   7371                 | jae                 0x73
            //   6c                   | insb                byte ptr es:[edi], dx
            //   697465335f737465     | imul                esi, dword ptr [ebp + 0x33], 0x6574735f
            //   7000                 | jo                  2

        $sequence_8 = { ff35???????? ff35???????? ff35???????? 57 ff15???????? ff7604 8f45ec }
            // n = 7, score = 200
            //   ff35????????         |                     
            //   ff35????????         |                     
            //   ff35????????         |                     
            //   57                   | push                edi
            //   ff15????????         |                     
            //   ff7604               | push                dword ptr [esi + 4]
            //   8f45ec               | pop                 dword ptr [ebp - 0x14]

        $sequence_9 = { ff35???????? ff15???????? 09c0 0f8423010000 8945fc ff7508 }
            // n = 6, score = 200
            //   ff35????????         |                     
            //   ff15????????         |                     
            //   09c0                 | or                  eax, eax
            //   0f8423010000         | je                  0x129
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   ff7508               | push                dword ptr [ebp + 8]

    condition:
        7 of them and filesize < 1171456
}